Cybersecurity (un)aware citizen

Human trust and complacency are, unfortunately, exploited for thousands of years. Nothing much has changed thus far and cybersecurity unaware citizens and workforce are easy prey to cybercriminals. Hence, there is a need for much-improved cybersecurity awareness across the board.

A few historical afcts

The introduction of new information and communication technologies (ICT) positioned modern societies in a constant state of flux. The consequence is that the evolution of technology increases risk and its safe and secure use. Safety and security awareness is no longer simply a luxury, but a necessity as cybersecurity threats come in various forms (e.g. intrusion, denial of services, viruses) and are increasingly threatening individuals, companies and national critical digital infrastructure.

The targets of cyber-attacks include physical infrastructures and telecommunications devices that allow for the connection of technological and communication system networks, computer systems and the related software, networks between computer systems as well as organisational and private data. We are now witnessing the newest, highly worrying trend of cyber-attacks on hospitals and medical networked devices.

History of cybersecurity shows a plethora of examples ranging from computer ‘worms’ that disabled ARPANET in 1988, through the denial of service (DoS) in the mid-2000s to nowadays ransomware attacks that maliciously lockup individual and organisational data. Ransom amounts demanded could range from a few hundred to several million Rand.

Cybersecurity awareness today

The cybersecurity status quo shows frightening facts: every second 9 new pieces of malware are discovered; 97% of fortune 500 companies know that they have been hacked but it took them an average 188 days to detect malware; ransomware attacks increased 30% in Q1 of 2016 alone. Hence, no wonder that more than 100 governments have created a kind of cyber centres or even military command. Even cities, such as Los Angeles, create cybersecurity centres.

Our preliminary research, however, shows that citizens and many organisational users of ICT are vastly unaware of the risks posed by the unsafe or unsecured use of these technologies. These risks will exponentially multiply with an increased use of already pervasive ‘smart’ mobile devices and Cloud Computing services as well as the use of the networks of connoted devices, also known as the Internet of Things (IoT). This network will offer to the cybercriminals numerous opportunities to unlawfully penetrate interconnected computer networks and cause irreparable damages.

Raising cyber security awareness among citizens (and also organisational users) , hence designates the first step in successfully addressing cybersecurity issues. In other words, this should be an initial step in forming the ‘cyber intelligent’ citizenry.

Political activism, carried out by the use of computers and digital networks (often called ‘hacktivism’), become well known through, for example, activities of WikiLeaks or the network of hackers known as Anonymous.

Espionage is yet another type of cyberattacks, usually performed by another government’s cyber intelligence. Degradation of infrastructure (e.g. power grids, railway) and damage to property by the use of digital networks, which can also cause human casualties, is classified as ‘cyber terrorism’.

Cyber-war is getting off with a help of cybercriminals

The use of digital technologies to disrupt the activities of a state or organization is known as ‘cyberwar’. While, fortunately, we still do not have real examples of cyber terrorism, an example of cyber war is the attack, launched sometime between 2007 and 2010 by foreign governments on the Iranian nuclear facilities, with the malware (‘worm’) known as ‘Stuxnet’. This attack considerably slowed down development of Iranian nuclear programme.

One of the biggest problems associated with ‘Stuxnet’ was the time need to detect this malware – it took well over a year to discover it! In fact, studies show that attacked organisations, on average need 173 days to discover these attacks. Due to the late detection, penetrated organisations suffer costs of US $300 billion (1% of GDP) per year.

On the other hand, to fix a cyber infection caused by a wrong click on an email or website by users, can cost companies about $250,000. According to statistics, companies experiences about 10 attacks per week on average . Disruption of (digital) services (DoS) is yet another area of cyber attacks that can cause significant revenue losses, operational disruption or damage to national or organisational ICT assets.

The newest reports highlight that cybercriminals are increasingly moving towards more complex threats, whether through e-mail ‘phishing’, ‘social engineering’ schemes or other means by exploiting the weakest link in cybersecurity – humans. As technology users in organisations or as individual users (citizens), people tend to do unexpected and potentially harmful things, like clicking on unreliable links or downloading stuff from untrustworthy websites.

The unintended harms usually happen due to unawareness or carelessness. A recent study, aimed at testing cybersecurity readiness in one big organisation, revealed that 30% of computer users clicked on dangerous email ‘phishing’ link – despite the warning that they were to receive such bogus emails. Another study shows that 55% of cybersecurity attacks come from internal actors due to misused or abused access privileges.

Making good ‘cybercitizens’ and cybersecurity responsible workforce

It is well-known fact that modern information and communication technologies can bring numerous benefits but these benefits can easily melt by successful cyber-attacks. While cybersecurity technologies are advancing, it seems that weaknesses related to the human factor need an urgent action. This should range from awareness campaigns to cybersecurity skilling, which includes re-skilling and up-skilling as both technology and cyber-attacks advancements are happening at the lightning speed.

While some organisations are launching cybersecurity awareness programs, citizens are rarely offered such a programme or campaign. In this regard, government responsibility cannot be ignored but governments cannot do the job alone. Instead, the collaborative action of public, private and non-profit sectors is needed for effective advocacy, leadership and skilling cybersecurity actions.

There is also an immediate need for improving cybersecurity culture at the organisational and societal level, which must include clearer guidance on what it means to be a ‘cyber-aware’ or ‘cyber intelligent’ citizen.

Making good ‘cybercitizens’ and cybersecurity responsible workforce is, however, not a straightforward task. We live in worldwide economic, political and social crisis times and many factors will influence our national and organisational cybersecurity readiness.

A stagnant economy pushes for an increased productivity and reduced costs, often realised through the deployment of modern ICT. Modernising economy and ICT infrastructure, however, multiplies possibility of cybercrime activities. The same applies to the critical service delivery.

Possible tension between government and industry regarding responsibility for cybersecurity or between data protection and information sharing can also negatively impact on cybersecurity readiness of our citizens and the organisational ICT users. However, the stake is too big to lose, and these tensions must be addressed in future cybersecurity advocacy and awareness programmes and campaigns. And this is needed urgently if we are to build a successful digital economy and information society in South Africa.